Brigadier General Hans Folmer MSc MSS
The internet and internet services have become prevalent in our society for many people. Smart devices have become commonplace and a smartphone allowing immediate access to the internet has become the rule. This has changed the way we live, disrupted and generated entirely new business models. Directions are provided to us on the go while the sale of paper maps has been steadily declining. If we are lucky enough, voice-enabled interfaces are able to provide us immediate answers to questions that first required more research. Ordering personal transport is easier than ever: by using an app we are able to obtain a transparent ride for a set price and get an idea of the driver’s reliability. We can even opt to book a room in a stranger’s home instead of a more traditional hotel. Tomorrow holds great promises as well, with emerging tech such as Quantum Computing potentially holding significant new advances – but also disadvantages – in the digital era. The internet has opened up our society and boosted the transparency of the services we use.
In the military domain, however, openness and transparency are usually not the prevailing values. And to the average listener, military cyber operations sound even more mysterious. Military cyber operations are currently still viewed as ambiguous, elusive and concealed. What doesn’t help in this regard is that, up until now, integrating military cyber operations in the planning process has been an ongoing challenge. Awareness is growing, however, and progress is being made, not least due to the Tallinn Manual 2.0 efforts.
In this presentation, I intend to ‘Demystify Cyber Operations’, because we need transparency, openness and a shared understanding to cooperate among nations and industries beyond our national frontiers. During my speech I will touch on some subjects which will be further elaborated upon by other speakers today.
Almost seven years ago I was asked to lead the Netherlands Armed Forces efforts to build up cyber capabilities. Next to the already existing branches of cyber security, cyber intelligence and later cyber law enforcement, I was tasked to establish a unit to support military operations with cyber capabilities. Not just defensive, but also offensive capabilities. As I look back on those seven years, the general cyber landscape has changed. Today the Netherlands has an Armed Forces Cyber Command of which I am the proud commander.
The rationale behind it was that digitization did not only bring societal changes, opportunities and wealth, but also altered the battlefield. During operations, plans are distributed via wireless connections, targets are fired upon using GPS coordinates, we gain situational awareness via live stream, and our supply vehicles contain more computers than our offices. We no longer have armoured vehicles, frigates or planes, but driving, sailing and flying computers.
This is not only the case for our own forces and our allies, but our opponents also rely heavily on digitization of their command and control, fire power and logistics. The current battlefield encompasses more than physical objects alone. Digital assets and connections can also be targeted to gain advantage over the opponent. Cyber operations are crucial means to do so and have fundamentally changed the conventional battlefield. There is, however, still a long way to go, both from a technical and from a doctrinal point of view. Preparing cyber operations takes time. Intelligence needs to be gathered well in advance and based on this intel, multiple attack scenarios need to be created. The preferred cyber weapons require testing and finally, code needs to be built at the moment of deployment.
An example of a cyber operation could be the disruption of take-off and landing of airplanes from an airfield in a contested area. The airfield could be shut down by disrupting its flight control systems instead of bombing the runway, which leads to a lot of damage and casualties. A cyber operation can temporarily disrupt flight operations, leaving the runway intact for future use by our own troops.
In the Tallinn Manual a cyber operation is described as: “The employment of cyber capabilities to achieve objectives in or through cyber space”. A cyber-attack is described as: “A cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”.
The basis is Cyber Security, the need to operate safely and securely in your own digital environment. This includes defensive counter cyber operations and hunting for adversaries in your own network. As soon as we operate in the digital environment of others where we do not have free access, we talk about offensive cyber operations, which of course can have a defensive posture. Offensive cyber operations are scoped at information-related capabilities, which are linked to the information warfare capabilities of psychological operations, military deception, operational security, computer network operations and electronic warfare, as well as various kinds of intelligence.
We distinguish four types of offensive cyber operations. The first are offensive counter cyber ops, an attack to prevent the adversary from attacking us. Secondly, cyber surveillance and reconnaissance in order to get an impression of the digital landscape of the opponent. What are the opponent’s dependencies and vulnerabilities? Third, offensive cyber can be used in support of other military operations and the fourth, ultimately, is an offensive cyber operation on its own. Offensive Cyber Operations are about achieving military effects that encompass denial, degradation, disruption or destruction of data in order to achieve 2nd and 3rd order effects in the physical and cognitive domain.
This differentiates cyber operations from intelligence operations, which are aimed at covert information gathering in general and more specifically at the opponent’s digital systems, and provide us insight into their means. This information is used to find an attack opportunity for a cyber operation aimed at disrupting the opponent’s Freedom of Manoeuvre in the digital environment and denying access to objects, as the example of the airfield showed.
Advanced cyber capabilities or cyber weapons require more than just a piece of malware or a form of live hacking. Cyber capabilities include people, technology, intelligence and processes. People with up-to-date coding skills, knowledge of state-of-the-art computer science techniques, creativity to design code and of course determination to debug the code. Technology, the tools to develop and to test and systems to store and communicate with our partners. Intelligence, the information about means and dependencies and vulnerabilities of our opponents. And last but not least processes, the development process including testing, debugging and the military planning and decision-making process.
In the field of Cyber Security, countries have been mutually cooperating and have been working together with industries to secure our own networks and systems. An excellent example of this is the NATO Computer Incident Response Capability or NCIRC. This Technical Centre provides services to prevent, detect, respond to and recover from cyber security incidents. Cyber defence is actually a part of the NATO Alliance core task of collective defence. It strives to integrate cyber defence into operational planning by creating indications and warning, potentially identifying threats. Currently, the Military Committee of NATO alongside SHAPE and the nations have been working on creating procedures that would enable nations to potentially integrate national offensive cyber effects in NATO operations, whenever such would be the desired response. Hand in hand with this development is the creation of up-to-date Cyber ROEs and the assessment of appropriate Targeting processes, all of course to be in sync with any obligations of the Law of Armed Conflict (as my colleagues will elaborate on later).
Now that NATO and others have adopted cyber as a domain of operations, increasing cooperation in the Cyber Domain similar to the way we cooperate in the conventional domains, is essential. Within NATO we contribute to the enhanced Forward Presence of the four battlegroups in Poland, Lithuania, Latvia and Estonia. The Netherlands supports this mission with troops together with 15 other nations and has deployed a Cyber Mission Team. We also contribute to the Very High Readiness Joint Task Force or VJTF. These partnerships are clear examples of a robust, multinational, and combat-ready mission to show that an attack on one Ally will be considered an attack on the whole NATO Alliance. Cyber operations should be an integral component of these missions and of our cooperation.
We need clear definitions of cyber operations when operating in a multinational context and these are currently lacking. In the Netherlands we distinguish four types of offensive cyber operations, but do we all share this view? Do we have the same ‘modus operandi’ to conduct cyber operations? How do we coordinate our multinational operations in the cyber domain? We need a common Doctrine as currently drafted by the CCDCOE that provides a shared understanding to answer these questions in order to conduct cyber operations in the NATO alliance or in other international partnerships. Based on this doctrine, mandates and Rules of Engagement can be further derived and used in cyber operations to support the military objectives of the missions.
After working in the Cyber domain for seven years, I am convinced that cyber operations should be just as common in current military operations as the smartphone is in our daily life. Part of ‘Demystifying Cyber Operations’ is observing that ‘Cyber is not something special, but maybe something new’. Cyber operations are an integral part next to the physical and cognitive actions to achieve the desired operational end state. However, hurdles remain in relation to establishing definitive ROE; institutionalizing the integration of cyber effects in operational planning; and creating a framework for shared Cyber definitions to effectively deploy cyber operations. Therefore, it is important that we contribute to the development of the various doctrine and frameworks for integrating cyber into operations. I believe that this conference, celebrating the 1-year anniversary of the Tallinn Manual 2.0, is a great impulse for further steps towards multinational cooperation and fosters a common understanding of the use of cyber in future conflicts.